{"info":{"_postman_id":"3a32ad52-d927-a42f-9858-3caf90a2d0c4","name":"AWS ElasticBeanstalk Audit","description":"

A simple collection to monitor Elastic Beanstalk environments. Introduced in http://blog.getpostman.com/2017/12/19/audit-your-aws-infrastructure-with-postman.

Auditing environments involves the following steps:

Fetch all enviromments using the provided access key id and secret token.
If there are additional enviroments to be fetched beyond the response of the first fetch request, extract the pagination token from the response and use it to repeat the fetch request.
Once there are no more enviroments to be fetched, save the list of enviroments as an environment variable.
Iterate over the list, repeating the configuration description request for each environment in the list. Once the config for an environment is known, compare it to a set of expected results to ensure compliance.

PS: This collection is most useful when run as a monitor, so as to run such audits on a periodic basis. You can also configure the inbuilt Slack integration for Postman monitors, so as to recieve instance alerts when things are amiss.

Required environment variables:

This collection requires the following environment variables:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Name	Description	Required
id	The access key id for the audit AWS user	Yes
key	The secret access key for the audit AWS user	Yes
awsRegion	The region to audit environments in. Defaults to us-east-1	No
maxRecords	The number of environments to retrieve per fetch call. Defaults to 100 (max)	No

","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[{"content":"Required environment variables:","slug":"required-environment-variables"}],"owner":"2876480","collectionId":"3a32ad52-d927-a42f-9858-3caf90a2d0c4","publishedId":"7LjD4kk","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"EF5B25"},"publishDate":"2017-12-18T20:17:55.000Z"},"item":[{"name":"Describe Environments","event":[{"listen":"test","script":{"id":"51a8cba2-db42-4531-84b7-599680594ee2","type":"text/javascript","exec":["pm.test('should have a valid response', function () {"," pm.response.to.be.ok;","});","","var envs,"," response = _.get(xml2Json(responseBody), 'DescribeEnvironmentsResponse.DescribeEnvironmentsResult'),"," nextToken = _.get(response, 'NextToken', ''),"," environments = _.get(response, 'Environments.member', []);","","try {"," envs = JSON.parse(pm.environment.get('environments') || '[]');","} catch (e) { // if the pre-existing environment list is invalid, simply log the error and move on."," console.log(e);","}","","pm.test('should have a valid environment list', function () {"," pm.expect(environments).to.be.an('array').and.not.be.empty;","});","","envs = _.isArray(envs) ? envs.concat(environments) : environments;","","pm.environment.set('environments', JSON.stringify(envs));","","// if a pagination nextToken exists, save it's value to an environemnt variable and loop back on the current request.","if (nextToken) {"," pm.environment.set('nextToken', nextToken);"," postman.setNextRequest(request.name);","}","else {"," pm.environment.unset('nextToken');","}"]}},{"listen":"prerequest","script":{"id":"2943cf8c-c1e6-41a0-a25f-81deb51ca3df","type":"text/javascript","exec":["// ensure that stale data left over from previous runs does not pollute the current one","if (!(pm.environment.get('environments') && pm.environment.get('nextToken'))) {"," !pm.environment.get('awsRegion') && pm.environment.set('awsRegion', 'us-east-1');"," !pm.environment.get('maxRecords') && pm.environment.set('maxRecords', 100);",""," // ensure that the environment list is always traversed from the first element."," pm.environment.unset('index');"," pm.environment.unset('environments');"," pm.environment.set('nextToken', '');",""," pm.environment.unset('envName');"," pm.environment.unset('appName');",""," pm.environment.unset('envArn');","}",""]}}],"id":"884fbbad-e940-b291-bea5-14cd8e9f6315","request":{"method":"GET","header":[{"key":"Content-Type","value":"application/x-www-form-urlencoded"},{"key":"X-Amz-Date","value":"20170425T091719Z"},{"key":"Authorization","value":"AWS4-HMAC-SHA256 Credential=AKIAJSC5VPELVYZXCMLA/20170425/us-east-1/elasticbeanstalk/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=62709d15c6ec8c5aa0ac67c8411f421b41c78b0994dcabca836e2ca0a7c3b3aa"}],"url":"https://elasticbeanstalk.{{awsRegion}}.amazonaws.com/?Operation=DescribeEnvironments&Version=2010-12-01&MaxRecords={{maxRecords}}&NextToken={{nextToken}}","description":"

An AWS Auth Signature verified GET request to fetch all elastic beanstalk environments under the Posmtan namepsace. All production environments are filtered and saved for all future operations within the collection run.

An AWS Auth Signature verified GET request to fetch environment configuration for each production environment obtained from the previous request i.e., Describe Environments.

The values of environment variables are also fetched within this request.

\n","auth":{"type":"awsv4","awsv4":{"0":"<0>","1":"<1>","2":"<2>","3":"<3>","4":"<4>","5":"<5>","6":"<6>","7":"<7>","8":"<8>","9":"<9>","10":"<10>","11":"<11>","12":"<12>","13":"<13>","14":"<14>","15":"<15>","16":"<16>","17":"<17>","18":"<18>","19":"<19>","20":"<20>","21":"<21>","22":"<22>","23":"<23>","24":"<24>","25":"<25>","26":"<26>","27":"<27>","28":"<28>","29":"<29>","30":"<30>","31":"<31>","32":"<32>","33":"<33>","34":"<34>","35":"<35>","36":"<36>","37":"<37>","38":"<38>","39":"<39>","40":"<40>","41":"<41>","42":"<42>","43":"<43>","44":"<44>","45":"<45>","46":"<46>","47":"<47>","48":"<48>","49":"<49>","50":"<50>","51":"<51>","52":"<52>","53":"<53>","54":"<54>","55":"<55>","56":"<56>","57":"<57>","58":"<58>","59":"<59>","60":"<60>","61":"<61>","62":"<62>","63":"<63>","64":"<64>","65":"<65>","66":"<66>","67":"<67>","68":"<68>","69":"<69>","70":"<70>","71":"<71>","72":"<72>","73":"<73>","74":"<74>","75":"<75>","76":"<76>","77":"<77>","78":"<78>","79":"<79>","80":"<80>","81":"<81>","82":"<82>","83":"<83>","84":"<84>","85":"<85>","86":"<86>","87":"<87>","88":"<88>","89":"<89>","90":"<90>","91":"<91>","92":"<92>","93":"<93>","94":"<94>","95":"<95>","96":"<96>","97":"<97>","98":"<98>","region":"{{awsRegion}}","service":"","serviceName":"","secretKey":"{{key}}","accessKey":"{{id}}"},"isInherited":true,"source":{"_postman_id":"3a32ad52-d927-a42f-9858-3caf90a2d0c4","id":"3a32ad52-d927-a42f-9858-3caf90a2d0c4","name":"AWS ElasticBeanstalk Audit","type":"collection"}},"urlObject":{"protocol":"https","path":[""],"host":["elasticbeanstalk","{{awsRegion}}","amazonaws","com"],"query":[{"key":"Operation","value":"DescribeConfigurationSettings"},{"key":"Version","value":"2010-12-01"},{"key":"EnvironmentName","value":"{{envName}}"},{"key":"ApplicationName","value":"{{appName}}"}],"variable":[]}},"response":[],"_postman_id":"acb9bcf0-22dd-9f17-d7dc-2908ab0c011b"},{"name":"List tags for resource","event":[{"listen":"prerequest","script":{"id":"2ae2a028-c5dd-4eec-bc3e-5dcd81dd219c","type":"text/javascript","exec":["var member,"," environments,"," index = Number(pm.environment.get(\"index\")) || 0;","","try {"," environments = JSON.parse(pm.environment.get(\"environments\"));",""," pm.environment.set(\"envArn\", _.get(environments, [index, 'EnvironmentArn']));","} catch (e) {"," console.error(e);","}",""]}},{"listen":"test","script":{"id":"4b5d4991-d9ae-4e52-9822-95e93b429587","type":"text/javascript","exec":["pm.test('should have a valid response', function () {"," pm.response.to.be.ok;","});","","var os,"," key,"," tier,"," stack,"," tagSet,"," config,"," policies,"," env = {},"," percentage,"," tagSet = {},"," environments,"," _tests = {}, // store tests here so that only failed ones can be shown later"," threshold = Number(pm.environment.get('threshold')) || 90,"," limit = parseInt(threshold * 40.96, 10),"," index = Number(pm.environment.get('index')) || 0,"," stackPattern = /^64bit\\sAmazon\\sLinux\\s(\\d{4}\\.\\d{2}\\sv(\\d\\.){2}\\d)\\srunning\\s(\\w+)\\s((\\d+\\.){2}\\d)(-ce)?$/,"," tags = _.get(xml2Json(responseBody), 'ListTagsForResourceResponse.ListTagsForResourceResult.ResourceTags.member', []),",""," /*"," * An elementary recreation of semver.gte."," *"," * @param {String} base - A pseudo semver string to compare."," * @param {String} target - A pseudo semver string to be compared against."," * @returns {Boolean} - A flag to represent the gte state of base vs target."," */"," gte = function (base, target) {"," base = _(base).split('-').get(0, '').split('.').map(Number);"," target = _(target).split('-').get(0, '').split('.').map(Number);",""," return base.every(function (val, i) {"," return val >= target[i];"," });"," };","","try {"," environments = JSON.parse(pm.environment.get(\"environments\"));",""," // Update environment information with the EC2 instance details."," pm.environment.set(\"environments\", JSON.stringify(_.set(environments, `${pm.environment.get('index')}.ResourceTags`, tags)));",""," env = environments[index];","} catch (e) {"," console.log(e);","}","","pm.test('should have a non-empty list of environments', function () {"," pm.expect(environments).to.be.an('array').and.not.be.empty;","});","","config = env.ConfigurationSettings || {};","percentage = Number((config.EnvironmentVariables.length / 40.96).toFixed(2));","","// Scaling configuration checks","_tests[`${env.EnvironmentName} should have an auto scaled, load balanced environment (${config.EnvironmentType})`] = config.EnvironmentType === 'LoadBalanced';","_tests[`${env.EnvironmentName} should have a minimum instance count >= 2 (${config.MinInstancesInService})`] = Number(config.MinInstancesInService) >= 2;","_tests[`${env.EnvironmentName} should have a max instance count >= 4 (${config.MaxSize})`] = Number(config.MaxSize) >= 4;","_tests[`${env.EnvironmentName} should have availabilty zones set to 'Any' (${config['Availability Zones']})`] = config['Availability Zones'] === 'Any';","_tests[`${env.EnvironmentName} should use scaling cooldown of at least 600 seconds (${config.Cooldown})`] = Number(config.Cooldown) >= 600;","_tests[`${env.EnvironmentName} should have a well defined scale measure name (${config.MeasureName})`] = config.MeasureName;","_tests[`${env.EnvironmentName} should have a valid scaling statistic (${config.Statistic})`] = config.Statistic === 'Average';","_tests[`${env.EnvironmentName} should use a valid scaling unit (${config.Unit})`] = config.Unit;","_tests[`${env.EnvironmentName} should use a scaling measurement period of 5 minutes (${config.Period})`] = config.Period === '5';","_tests[`${env.EnvironmentName} should use a breach duration of 5 minutes (${config.BreachDuration})`] = config.BreachDuration === '5';","_tests[`${env.EnvironmentName} should have a valid upper threshold (${config.UpperThreshold})`] = config.UpperThreshold;","_tests[`${env.EnvironmentName} should use an upper breach scale increment of 2 (${config.UpperBreachScaleIncrement})`] = config.UpperBreachScaleIncrement >= '2';","_tests[`${env.EnvironmentName} should have a lower threshold (${config.LowerThreshold})`] = config.LowerThreshold;","_tests[`${env.EnvironmentName} should use a lower breach scale factor of -1 (${config.LowerBreachScaleIncrement})`] = config.LowerBreachScaleIncrement >= '-1';","","","","","// Instance configuration checks","_tests[`${env.EnvironmentName} should have a valid instance class (${config.InstanceType})`] = config.InstanceType;","_tests[`${env.EnvironmentName} should have a valid security group (${config.SecurityGroups})`] = config.SecurityGroups;","_tests[`${env.EnvironmentName} should have a valid EC2 key (${config.EC2KeyName})`] = config.EC2KeyName;","_tests[`${env.EnvironmentName} should use an iam instance profile role of aws-elasticbeanstalk-ec2-role (${config.IamInstanceProfile})`] = config.IamInstanceProfile === 'aws-elasticbeanstalk-ec2-role';","_tests[`${env.EnvironmentName} should have an instance evaluation period of 1 minute (${config.MonitoringInterval})`] = config.MonitoringInterval === '1 minute';","_tests[`${env.EnvironmentName} should have a valid AMI id (${config.ImageId})`] = config.ImageId;","_tests[`${env.EnvironmentName} should use a root volume size of at least 5 GB (${config.RootVolumeSize})`] = Number(config.RootVolumeSize) >= 5;","_tests[`${env.EnvironmentName} should have a General SSD root volume: gp2 (${config.RootVolumeType})`] = config.RootVolumeType === 'gp2'; // gp2 is an AWS codename for General SSD :/","// See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for more details","","","","","// Notification configuration checks","_tests[`${env.EnvironmentName} should send system notifications to a valid endpoint (${config['Notification Endpoint']})`] = config['Notification Endpoint'];","_tests[`${env.EnvironmentName} should use a valid notification protocol (${config['Notification Protocol']})`] = config['Notification Protocol'];","_tests[`${env.EnvironmentName}'s notification topic arn should be valid (${config['Notification Topic ARN']})`] = /^arn:aws:sns:.*:\\d{12}:ElasticBeanstalkNotifications-Environment-/.test(config['Notification Topic ARN']);","","","","","// Software configuration checks","_tests[`${env.EnvironmentName} should have log publication control set to true (${config.LogPublicationControl})`] = config.LogPublicationControl === 'true';","_tests[`${env.EnvironmentName} should retain logs for at least 7 days (${config.RetentionInDays})`] = Number(config.RetentionInDays) >= 7;","","// the config object also contains your environment variables, so additional tests around them can be added here","_tests[`${env.EnvironmentName} should have less than ${limit}: ${threshold}% bytes of env vars (${config.EnvironmentVariables.length}: ${percentage}%)`] = percentage < threshold;","","","","// Updates and deployment configuration checks","_tests[`${env.EnvironmentName} should deploy on a Rolling basis (${config.DeploymentPolicy})`] = config.DeploymentPolicy === 'Rolling';","_tests[`${env.EnvironmentName} should use a batch size type of percentage (${config.BatchSizeType})`] = config.BatchSizeType === 'Percentage';","_tests[`${env.EnvironmentName} should have a valid batch size (${config.BatchSize})`] = config.BatchSize;","_tests[`${env.EnvironmentName} should use rolling updates (${config.RollingUpdateEnabled})`] = config.RollingUpdateEnabled === 'true';","_tests[`${env.EnvironmentName} should use update config on a health basis (${config.RollingUpdateType})`] = config.RollingUpdateType === 'Health';","_tests[`${env.EnvironmentName} should have a valid max batch size (${config.MaxBatchSize})`] = Number(config.MaxBatchSize);","_tests[`${env.EnvironmentName} should have a valid min instance count (${config.MinSize})`] = Number(config.MinSize);","_tests[`${env.EnvironmentName} should have a health check success threshold of ok (${config.HealthCheckSuccessThreshold})`] = config.HealthCheckSuccessThreshold === 'Ok';","_tests[`${env.EnvironmentName} should NOT ignore health checks during deployments (${config.IgnoreHealthCheck})`] = config.IgnoreHealthCheck === 'false';","_tests[`${env.EnvironmentName} should have a EC2 command timeout of at least 600 (${config.CommandTimeout})`] = Number(config.CommandTimeout) >= 600;","","","","","// Health configuration checks","_tests[`${env.EnvironmentName} should use a valid healthcheck url (${config['Application Healthcheck URL']})`] = config['Application Healthcheck URL'] === '/health';","_tests[`${env.EnvironmentName} should use the service aws-elasticbeanstalk-generic-role service role (${config.ServiceRole})`] = config.ServiceRole === 'aws-elasticbeanstalk-generic-role';","_tests[`${env.EnvironmentName} should use enhanced health reporting (${config.SystemType})`] = config.SystemType === 'enhanced';","","","","","// Managed updates","_tests[`${env.EnvironmentName} should use managed actions (${config.ManagedActionsEnabled})`] = config.ManagedActionsEnabled === 'true';","_tests[`${env.EnvironmentName} should have managed updates set for Monday (${config.PreferredStartTime} UTC)`] = _.startsWith(config.PreferredStartTime, 'MON');","_tests[`${env.EnvironmentName} should use an update level of patch (${config.UpdateLevel})`] = config.UpdateLevel === 'patch';","_tests[`${env.EnvironmentName} should automatically terminate unhealthy instances (${config['Automatically Terminate Unhealthy Instances']})`] = config['Automatically Terminate Unhealthy Instances'] === 'true';","","","","","// Load Balancing configuration checks","_tests[`${env.EnvironmentName} should have listeners enabled (${config.ListenerEnabled})`] = config.ListenerEnabled === 'true';","_tests[`${env.EnvironmentName} should use cross zone load balancing (${config.CrossZone})`] = config.CrossZone === 'true';","_tests[`${env.EnvironmentName} should have a valid certificate ID (${config.SSLCertificateId})`] = config.SSLCertificateId;","_tests[`${env.EnvironmentName} should have connection draining set to true (${config.ConnectionDrainingEnabled})`] = config.ConnectionDrainingEnabled === 'true';","_tests[`${env.EnvironmentName} should use a connection draining timeout >= 100 seconds (${config.ConnectionDrainingTimeout})`] = Number(config.ConnectionDrainingTimeout) >= 100;","","policies = _.get(env, 'LoadBalancer.Policies', {});","","_tests[`${env.EnvironmentName} should not use AppCookieStickinessPolicies (${policies.AppCookieStickinessPolicies})`] = !policies.AppCookieStickinessPolicies;","_tests[`${env.EnvironmentName} should not use LBCookieStickinessPolicies (${policies.LBCookieStickinessPolicies})`] = !policies.LBCookieStickinessPolicies;","_tests[`${env.EnvironmentName} should use HTTPS:443/health as the health check target (${config.Target})`] = config.Target === 'HTTPS:443/health';","_tests[`${env.EnvironmentName} should perform health checks every 100 seconds (${config.Interval})`] = Number(config.Interval) <= 100;","_tests[`${env.EnvironmentName} should timeout health checks after 50 seconds (${config.HealthTimeout})`] = Number(config.HealthTimeout) <= 50;","_tests[`${env.EnvironmentName} should have a healthy threshold of 5 or more (${config.HealthyThreshold})`] = Number(config.HealthyThreshold) >= 5;","_tests[`${env.EnvironmentName} should have an unhealthy threshold >= 5 (${config.UnhealthyThreshold})`] = Number(config.UnhealthyThreshold) >= 5;","_tests[`${env.EnvironmentName} should refresh instances when needed (${config.InstanceRefreshEnabled})`] = config.InstanceRefreshEnabled === 'true';","","","","","// VPC configuration checks","_tests[`${env.EnvironmentName} should not have a public IP address (${config.AssociatePublicIpAddress})`] = config.AssociatePublicIpAddress !== 'true';","_tests[`${env.EnvironmentName} should use a valid vpc: (${config.VPCId})`] = config.VPCId;","_tests[`${env.EnvironmentName} should have a valid ELBSubnet (${config.ELBSubnets})`] = config.Subnets === config.ELBSubnets;","_tests[`${env.EnvironmentName} should have a valid subnet (${config.Subnets})`] = /^subnet-[a-z0-9]{8}$/.test(config.Subnets);","","","","","// Platform and environment naming configuration checks","tier = env.Tier || {};","stack = _.pick(env.SolutionStackName.match(stackPattern), [1, 3]);","os = _(stack).get(1, '').split(' v');","","// stack contains additional information, you can use it to add more checks","_tests[`${env.EnvironmentName} should use Amazon Linux >= 2017.09 v2.8.0 (${stack[1]})`] = gte(os[0], '2017.09') && gte(os[1], '2.8.0');","","_tests[`${env.EnvironmentName} has a standard tier type (${tier.Type})`] = tier.Type === 'Standard';","_tests[`${env.EnvironmentName} is on the web server tier (${tier.Name})`] = tier.Name === 'WebServer';","","// you might want to test that the environment name (env.EnvironmentName) follows a certain standard","// _tests[`${env.EnvironmentName}'s environment name should be valid`] = env.EnvironmentName;","","// the Key properties may vary depending on your setup","tagSet.environment = _.get(_.find(tags, { Key: 'environment' }), 'Value');","tagSet.type = _.get(_.find(tags, { Key: 'type' }), 'Value');","tagSet.name = _.get(_.find(tags, { Key: 'name' }), 'Value');","","_tests[`${env.EnvironmentName} should have a valid name tag (${tagSet.name})`] = tagSet.name;","_tests[`${env.EnvironmentName} should have a valid type tag (${tagSet.type})`] = tagSet.type;","_tests[`${env.EnvironmentName}'s environment tag should be valid (${tagSet.environment})`] = tagSet.environment;","","","","","// filter down to all failed tests for the current environment","_.assign(tests, _tests = _.reduce(_tests, function(result, value, key) {"," !value && (result[key] = value);"," return result;","}, {}));","","_.isEmpty(_tests) && (tests[`${env.EnvironmentName} passed all audit checks`] = true);","","// If there are more environments to process, move on to fetching the configuration for the next environment, else terminate.","postman.setNextRequest((index >= environments.length - 1) ? null : 'Describe Configuration Settings');"]}}],"id":"8eeda643-0d7e-d05b-0ddc-0b9f0737b6c4","request":{"method":"GET","header":[{"key":"Content-Type","value":"application/x-www-form-urlencoded"},{"key":"X-Amz-Date","value":"20170425T102550Z"},{"key":"Authorization","value":"AWS4-HMAC-SHA256 Credential=AKIAJSC5VPELVYZXCMLA/20170425/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=e45ce4d3f72bb476c4e09e39b9806e5154c01a5c5fce035a1fd051f8a10b054c"}],"url":"https://elasticbeanstalk.{{awsRegion}}.amazonaws.com/?Action=ListTagsForResource&Version=2010-12-01&ResourceArn={{envArn}}","description":"

An AWS Auth Signature verified GET request to fetch Cost Allocation Tags for the current environment ARN. A full fledged audit of the current environment configuration set is also performed in this request, after which flow passes on to the next environment.